
Re: PermitRootLogin enabled by default



John Galt <galt@inconnu.isu.edu> writes:

> that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
> using standard security practice at that point, it's just for
> convenience's sake, the user had a few things screened, including a
> rootshell, probably because of the traditional Conventional Wisdom of not
> permitting any remote logins of root. I find this kind of ironic in
> another sense, as Dug Song is the author of a Man in the Middle tool that
> works against older SSHes....

Depends.. if you manage to intercept the user's password, you can type it
into sudo just like they do and get the same level of root privilege. In
that case, not leaving screen running would have still been as bad.
No doubt this is why tightening sudo down is a good idea.

~Tim
-- 
<http://spodzone.org.uk/>
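Tim's point is that a captured password plus a blanket sudo rule is root anyway, and the thread's subject is the sshd PermitRootLogin default. The audit script below is an added example, not code from this list or from Debian: it takes constructed sshd_config and sudoers text (embedded inline, not copied from any real host), reports the effective PermitRootLogin value, and lists the accounts whose sudo rules grant any command as any user. The function names and the sample accounts are my own; the script does not follow sshd Match blocks or sudoers includes.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config and sudoers text for
# PermitRootLogin and for sudo rules a captured user password would unlock.
# Constructed sample inputs, not copies of any real system's files.
SSHD_SAMPLE='# sshd_config (constructed sample)
PermitRootLogin yes'

SUDOERS_SAMPLE='# sudoers (constructed sample)
Defaults    timestamp_timeout=15
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(root) /usr/sbin/service apache2 restart
carol   ALL=(ALL:ALL) NOPASSWD: ALL'

# Effective PermitRootLogin: sshd honours the first occurrence of a directive.
# Prints "unset" when absent, so the caller can check what the installed
# sshd defaults to. Match blocks and Include files are not followed.
effective_permit_root_login() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Accounts (users or %groups) other than root granted any command as any user:
# "ALL=(ALL) ALL" or "ALL=(ALL:ALL) ALL", with or without a NOPASSWD: tag.
unrestricted_sudo_users() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
        $1 != "root" && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $NF == "ALL" { print $1 }'
}

# Print a short report; return 1 if either setting needs tightening.
audit_access() {
    prl=$(effective_permit_root_login "$1")
    users=$(unrestricted_sudo_users "$2")
    status=0
    echo "PermitRootLogin: $prl"
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "  -> direct root logins over ssh are not blocked"; status=1 ;;
    esac
    if [ -n "$users" ]; then
        echo "Unrestricted sudo for: $(echo "$users" | tr '\n' ' ')"
        echo "  -> limit these rules to the commands each account needs"
        status=1
    fi
    return $status
}

audit_access "$SSHD_SAMPLE" "$SUDOERS_SAMPLE" || echo "audit: findings need attention"
```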

